Analysis
max time kernel: 95s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2025, 18:30
Behavioral task: behavioral1
Sample: CAAAAFBKFI.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: CAAAAFBKFI.exe
Resource: win10v2004-20250217-en
General
Target: CAAAAFBKFI.exe
Size: 2.7MB
MD5: 62f9ab4067af92388be75b2cf9956e20
SHA1: 3f9040c33118341edb168689ad852f1cddd0309e
SHA256: c980444331ca7db229839e93c88dded4001943f0b71ec00d41f6ad3e76f5afb9
SHA512: 47d881354cb8a99c54d8d92aea277d3c3d20508659378628aa9e606509e9ce8697214f0c00636d3f580d20cb6dab6b73e565cfbbd5dfb73201a7d43a9c7a4361
SSDEEP: 49152:NamswIRUiME1+bu5kfl9KYhm8vKy/VLmtrShqFatM7XZhak:YmQ288iy9LxhQD7XZha
Malware Config
Signatures

Detects HijackLoader (aka IDAT Loader) (2 IoCs)
resource | yara_rule
behavioral2/memory/2272-0-0x0000000000400000-0x00000000006B1000-memory.dmp | family_hijackloader
behavioral2/memory/2272-12-0x0000000000400000-0x00000000006B1000-memory.dmp | family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.

Hijackloader family

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2272 set thread context of 3736 | 2272 | CAAAAFBKFI.exe | 86
PID 3736 set thread context of 4888 | 3736 | cmd.exe | 92

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3552 | 4888 | WerFault.exe | 92
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CAAAAFBKFI.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2272 | CAAAAFBKFI.exe
2272 | CAAAAFBKFI.exe
3736 | cmd.exe
3736 | cmd.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
2272 | CAAAAFBKFI.exe
3736 | cmd.exe
3736 | cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4888 | MSBuild.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 2272 wrote to memory of 3736 | 2272 | CAAAAFBKFI.exe | 86
PID 2272 wrote to memory of 3736 | 2272 | CAAAAFBKFI.exe | 86
PID 2272 wrote to memory of 3736 | 2272 | CAAAAFBKFI.exe | 86
PID 2272 wrote to memory of 3736 | 2272 | CAAAAFBKFI.exe | 86
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
PID 3736 wrote to memory of 4888 | 3736 | cmd.exe | 92
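The SetThreadContext and WriteProcessMemory tables describe a single injection chain: the sample writes into the 32-bit cmd.exe it spawned and redirects that process's thread, and cmd.exe then does the same to MSBuild.exe, which later crashes under WerFault.exe. The script below is an added example, not code from the report or from the sandbox vendor. It parses rows copied verbatim from those two tables, together with the parent/child relationships and PIDs from the Processes section, and flags only the pairs where a parent both wrote into a child it spawned and replaced that child's thread context; a write on its own is not enough, since legitimate parents (debuggers, CreateProcess itself) write into children too. The row strings, PIDs and `PROCESS_TREE` entries come from this report; the regular expression, the function names and the rendering format are assumptions of the example.

```python
import re
from collections import Counter

# Rows copied from this report's WriteProcessMemory and SetThreadContext
# signature tables. Each row reads:
#   "PID <src> <action> <dst> <src> <src image> <procid_target>"
WRITE_ROWS = [
    "PID 2272 wrote to memory of 3736 2272 CAAAAFBKFI.exe 86",
] * 4 + [
    "PID 3736 wrote to memory of 4888 3736 cmd.exe 92",
] * 6
CTX_ROWS = [
    "PID 2272 set thread context of 3736 2272 CAAAAFBKFI.exe 86",
    "PID 3736 set thread context of 4888 3736 cmd.exe 92",
]

# pid -> (image, parent pid), taken from the Processes section of the
# report. None marks the root of the tree.
PROCESS_TREE = {
    2272: ("CAAAAFBKFI.exe", None),
    3736: ("cmd.exe", 2272),
    4888: ("MSBuild.exe", 3736),
    3552: ("WerFault.exe", 4888),
}

# Regex for the row layout above (an assumption of this example).
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?:wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+$"
)


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image) for every row that parses."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parsed.append((int(m["src"]), int(m["dst"]), m["image"]))
    return parsed


def write_counts(rows):
    """Count WriteProcessMemory events per (src, dst) pair."""
    return Counter((src, dst) for src, dst, _ in parse_rows(rows))


def injection_chain(write_rows, ctx_rows, tree):
    """Links where a process wrote into a child it spawned AND set that
    child's thread context: the hollowing / thread-hijack pattern.
    Returns (src_pid, src_image, dst_pid, dst_image) tuples."""
    writes = {(src, dst) for src, dst, _ in parse_rows(write_rows)}
    links = []
    for src, dst, src_image in parse_rows(ctx_rows):
        spawned_by_src = dst in tree and tree[dst][1] == src
        if (src, dst) in writes and spawned_by_src:
            links.append((src, src_image, dst, tree[dst][0]))
    return links


def chain_text(links):
    """Render consecutive links as one path; start a new path on a break."""
    paths, current = [], []
    for src, src_image, dst, dst_image in links:
        if not current or current[-1][0] != src:
            if current:
                paths.append(current)
            current = [(src, src_image)]
        current.append((dst, dst_image))
    if current:
        paths.append(current)
    return "; ".join(
        " -> ".join(f"{image} ({pid})" for pid, image in path) for path in paths
    )


if __name__ == "__main__":
    links = injection_chain(WRITE_ROWS, CTX_ROWS, PROCESS_TREE)
    print(chain_text(links))
    for pair, n in sorted(write_counts(WRITE_ROWS).items()):
        print(f"{pair[0]} -> {pair[1]}: {n} WriteProcessMemory events")
```

Run against the report's rows the script prints `CAAAAFBKFI.exe (2272) -> cmd.exe (3736) -> MSBuild.exe (4888)`, with four writes on the first hop and six on the second. The same parent-spawns, writes, then SetThreadContext sequence is what an EDR correlation rule would key on; the parent/child check is what keeps a debugger attaching to an unrelated process from matching.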
Processes

1. C:\Users\Admin\AppData\Local\Temp\CAAAAFBKFI.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\CAAAAFBKFI.exe"
   PID: 2272
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 3736
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
         PID: 4888
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 960
            PID: 3552
            - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4888 -ip 4888
   PID: 4460
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 710KB
MD5: d4744f5ec3e5058260d817196f000c23
SHA1: 7bfcc60c847ae3c63cb001085bca707c3876f8a5
SHA256: fac30dc05dd851772e82005f850f515ec52369c6e8a90c9252f9fa99bee2296e
SHA512: 4be00dea4aeceecc8052b73fb08117d16fe3aa8f1ddec060af4c36af97b938e4eef2605e8a44539668d98e913f1e23ffe0cb37fa1d2a9408cd152000491a1f3e